Amazon tripled prices for the basic tier of their auth service Cognito
93 points by skorpen 16 hours ago | 61 comments
  • davewritescode 13 hours ago |
    I have no idea why anyone would use Cognito unless they don’t care about availability.

    Almost every other SaaS vendor supports multi-region active-active and Cognito does not.

    • theteapot 13 hours ago |
      What is active-active?
      • illusive4080 13 hours ago |
        Being live in more than one region at the same time
    • theteapot 13 hours ago |
      > Almost every other SaaS vendor supports multi-region active-active and Cognito does not.

      Who are we talking about here? Google and Azure?

      • nostrebored 13 hours ago |
        auth0, okta, ping identity, azure, google
        • ak217 12 hours ago |
          Had some pretty negative experiences with pricing/"enterprise" sales tactics by Okta (which now owns Auth0, and they used the same tactics on both products). I will take AWS pricing shenanigans over that any day.
          • nostrebored 12 hours ago |
            I'll take the scummy sales tactics over the cognito API any day of the week
            • ak217 12 hours ago |
              Given the choice between a crummy API and being driven bankrupt by a SaaS vendor, I prefer a crummy API. I suppose your calculus might look different if you have a lot of money or an employer with great negotiating leverage.
        • mschuster91 12 hours ago |
          Okta has been plagued by security issues [1], never heard of Ping Identity, Azure only makes sense if you get a sweetheart deal and are willing to deal with Azure's crap, and I'd never recommend anyone to use anything Google any more.

          [1] https://www.flyingpenguin.com/?p=54722

          • ak217 12 hours ago |
            Ping is one of the oldest players in the business, they were founded in 2002 and had one of the earliest identity PaaS in the market (at least as far back as 2012). Haven't used their products much though.
          • SgtBastard 6 hours ago |
            Ping Identity run the largest enterprise identity platforms on the planet after merging with ForgeRock last year. Think HSBC, JP Morgan Chase-scale.
        • pquerna 12 hours ago |
          okta is not "active-active" in a multi-region sense, they run in a single active AWS single Region per-tenant. You can pay extra to have a faster failover in a region level failure scenario:

          https://support.okta.com/help/s/article/overview-of-enhanced...

  • brycelarkin 13 hours ago |
    They increased prices, but looks like they finally are revamping the service. This is probably the biggest update in years.
  • akira2501 13 hours ago |
    I think the author is confused. The previous "basic tier" is actually the "lite" tier. The prices are the same, but the number of "free" MAUs is reduced. The "advanced" and "essentials" tier include what seems to be new or expanded features like fully customizable logins and passwordless login options, so you have to pay more to access these features, but it looks like everything Cognito previously provided is in the "lite" tier.
    • cowsandmilk 13 hours ago |
      Post also doesn’t mention this from the pricing that means existing customers in free tier aren’t being suddenly charged:

      Note:

      1. Customers with existing user pools created on or before 10:00am Pacific Time, November 22, 2024 will continue having a free tier of first 50,000 MAUs. Advanced Security Features (ASF) will continue to be priced separately and will not have a free tier, just like it has been priced previously.

      2. Additionally, customers are eligible to create new user pools with Lite tier in their existing accounts and count those MAUs against the free tier of first 50,000 MAUs. To be eligible, customers' accounts must have had at least 1 MAU in the last 12 months on or before 10:00am Pacific Time, November 22, 2024.

    • mooreds 11 hours ago |
      Disclosure: I work for a competitor of Cognito, FusionAuth.

      I agree, the author is totally confused.

      Lite is equivalent was available before, and there's been a lot of improvements to essentials and plus (passkeys, more customization options). It is a bit weird that you have to be in the Plus plan to export user activity logs, but pricing is difficult. Depending on the number of users you had, lite can cost quite a bit more (5x for 60k users).

      The simple pricing, which was one of the key benefits of Cognito, has become more complex. I put together a spreadsheet to show the price changes here: https://docs.google.com/spreadsheets/d/1Nm5BUOjFlqqvaeDTERJm...

      It's pretty clear that while there are increased features, if all you need is login, the pricing has increased significantly if you are above 10k MAU. If you are under 10k users, it's a wash, of course.

      This spreadsheet ignores quota increase, SAML users, and M2M tokens, which are all charged separately.

      However, you can see the plus tier, which includes what was previously "Advanced security features" has gotten significantly cheaper (pricing for that feature sourced from https://medium.com/@demandapi/aws-cognito-advantages-pricing... ). So bravo to them for lowering that.

      There's also complexity in switching tiers, since if you switch from Plus to Lite in the middle of the month, you'll be charged Plus for all users who logged in before the switch and Lite for all after. That's incidental, but still added complexity.

      And, as a sibling comment notes, there's legacy pricing for anyone who has a user pool with at least 1 MAU in the last 12 months. This legacy pricing lasts until Nov 30, 2025, which gives folks a chance to migrate or adjust business models.

  • usr1106 13 hours ago |
    Drug dealer pricing? You start free and once you are on the hook exorbitant increases will come.
    • gonzo41 12 hours ago |
      Drug dealers are sensitive to the price their market can bare, they don't let you use unlimited drugs then charge you at the end of the month.
      • AtlasBarfed 10 hours ago |
        They would if supply was unlimited and cheap but they had monopoly power of the market.

        Oh, hello Purdue Pharma!

  • bootstrpppin 13 hours ago |
    There are so many better Auth providers out there now - and some of them are free for the first 10k or so users (workOs has the first 1M users free!)
    • jonahx 13 hours ago |
      which do you recommend?
      • pajeetz 12 hours ago |
        pocketbase, lucia auth, there are so many options that won't meter you for MAU for a user table in your database.

        authentication is critical, you shouldn't be outsourcing this stuff anyhow. learn how to harden your box, use cloudflare tunnel and dont store passwords in plaintext.

        its really not hard to do and constantly being gaslighted into paying someone to do it for you because everybody else is doing it is just irresponsible.

        • jonahx 12 hours ago |
          Very much agree with your attitude here. What happens is that nice to have features like email reset/email magic login/social logins/etc accumulate and you don't want to be on the hook for implementing them all yourself, especially with other priorities. Ofc there are open solutions for most of these in most popular languages, but I've found even those take non-trivial amounts of time to setup right and test, and often aren't exactly what you want, or have unnecessary complexity.
          • pajeetz 7 hours ago |
            I respect your view. I'm not involved with Lucia btw but i do feel v2 covers a lot of those edge case you described and for almost all sub 100k concurrent sessions I find pocketbase deliver here (if anybody is interested).

            I guess one clear difference is the lack of a marketing department from something well funded. I recall another HN comment here that said the best business model is to take something people can do already and mark it up by selling the pain points, that could be whats also helping all these auth as a service vendors.

        • portaouflop 4 hours ago |
          Please don’t roll your own Auth - there are too many examples where this went wrong.

          Go with a proven, vetted, and trusted open source solution.

      • n2d4 12 hours ago |
        I'm biased but Stack Auth [0] is fully open-source, self-hostable, and we offer reasonably priced managed hosting, if that floats your boat.

        [0] https://github.com/stack-auth/stack

        • bhouston 12 hours ago |
          Looks really nice! Really need Remix and Tan-Stack support though - these are taking a lot of market share from Next.js because they have less confused models.

          I think it shouldn't be too hard. I could even add Remix support for you if you wanted to do a contract (I am not able to do major open source work for free right now.)

        • stevepotter 11 hours ago |
          Wow I just got done integrating NextAuth. I will totally switch to this if you can support my mobile API. My nextjs app has some API routes used by my native iOS app. It was a bit of a hassle with NextAuth and I was surprised at the lack of support and demand for it (am I crazy for using next for a mobile API? I don't think so). If you support that use case (I didn't see anything in the docs), that would be great. I'm already done with the iOS portion, which basically stores the
      • bootstrpppin 2 hours ago |
        I've used a few:

        - Cognito: bad

        - Clerk: ok for small scale applications but they're a small company 'moving fast and breaking things'. It's not stable enough for a enterprise grade product that needs robustness.

        - Auth0: Good but can get expensive

        - WorkOS: Good for B2B, especially if 'directory syncing' is important for your usecase

      • bekacru 3 minutes ago |
  • paxys 13 hours ago |
    Here's the simple thing to know about AWS. They sell two great products (EC2 and S3) below market value so that you get locked in and their sales teams can upsell you on everything else. If you are a customer and are tempted to try out their alphabet soup of managed services because it all seems so convenient – don't.
    • orf 12 hours ago |
      SQS, SNS and Lambda are great as well
      • dyauspitr 12 hours ago |
        What else is left?
        • genghisjahn 12 hours ago |
          DynamoDB
      • danielheath 12 hours ago |
        Those all do what they say on the tin (and do it well enough), but the vendor lockin is very real.
      • irjustin 12 hours ago |
        We LOVE Lambda and SQS.
      • mullingitover 12 hours ago |
        Okay! Apart from sanitation, medicine, education, wine, public order, irrigation, roads, the fresh-water system and public health, what have the Romans ever done for us!?
    • danielheath 12 hours ago |
      > below market value

      Unless you would like your data to egress from an AWS datacenter, in which case they are a very, very long way above market value.

      > two great products

      RDS is also pretty great, and KMS is a pretty good way to store a private key per environment.

    • rafaelmn 12 hours ago |
      EC2 sold below market rate ? S3 I could argue somehow (unconvincingly). But what's the argument for EC2 ?
      • infecto 12 hours ago |
        Who’s actually paying list price?
        • 0xbadcafebee 12 hours ago |
          Anyone with more cash than sense, which is a lot of people. Every business I've worked for hooked up a credit card to AWS and never asked questions, until millions of wasted dollars later. Gotta love daddy corps with billions in reserve, and VC money that pours in like rain. I've been rebuffed multiple times trying to get them to buy SPs and RIs.
        • rescbr 12 hours ago |
          Everybody who isn’t big enough to have an EDP in place.

          Even then, you give some of the discount back as AWS Enterprise Support charges :)

        • usr1106 5 hours ago |
          The majority of the customers.

          (That majority of the customers might stand for less than the turnover of the minority that enjoys discounts. But that does not help you if you belong to the majority.)

      • skeeter2020 10 hours ago |
        Lots of competitors have S3 equivalents with complete coverage of the S3 API interface; it's a pure commodity at this point.
    • yazaddaruvala 12 hours ago |
      Gotta love Step Functions, Lambda, and also Kinesis Firehose!
    • llm_trw 12 hours ago |
      EC2? It has not been under market value for a decade now. It used to take 12-24 months of on demand pricing to buy the hardware outright in the 00s. Today it's under 6 months for every instance type. With GPU instances being measured in weeks.

      S3? Laughs in egress costs.

      AWS considered harmful.

    • AtlasBarfed 11 hours ago |
      ... ?

      Compared to Hetzner? Come on.

      Amazon just prices S3 and EC2 at not-insane rates because they shadow charge you for I/O and network traffic at 10x a competitive rate, things that people don't actually look at when evaluating cloud providers.

    • hintymad 10 hours ago |
      Speaking great products, DynamoDB is pretty good too, to the point that there's no open-source equivalent to it yet. Cassandra probably comes the closest, but it does not have true GSIs, no cross-table transactions, no easy and robust CDCs like DynamoDB streams, and its CAS is dog slow.

      SQS is great too. To many people it's reliable and durable, and implements a pretty robust competitive consumer pattern.

    • hintymad 10 hours ago |
      Lots of comments about EC2's price. My personal experience is that we do not just pay for the computing power of EC2 but the productivity it offers: it's just magical that one can launch an availability group across multiple zones, set up its autoscaling rules, and let it run wild. Netflix used to build its platform on top of EC2s, and the result was that a single engineer can carry a pager for multiple services 24x7, stateful included, and still enjoyed great work-life balance. It's also amazing how hard it is for companies to replicate their own EC2 in their own data centers.
    • mrklol 3 hours ago |
      SES is imo their top tier service!
  • geodel 13 hours ago |
    Makes sense to me. These customers have margins and Amazon has an opportunity.
  • algue 13 hours ago |
    Cant find the pricing change announcement, mind to share a link to it?
  • xyst 12 hours ago |
    And nobody saw this coming with the surge to “cloud”. /s

    I don’t like AWS but god damn they are good marketers and had some good leadership that actually was ahead of the curve. Instead of min/maxing the quarterly earning calls.

    Convince a nepo C-level executive of your offerings, wave your massive AWS dick while presenting your deck, throw in a few credits, keep it “cheap” for a number of years. Once the competition fizzes out, or you buy them up. Then nix those teaser rates and jack it up 100X over a decade.

    Now AWS is pumping for the next millenia.

    • kjellsbells 12 hours ago |
      Let me ask you, non-combatively: do you think they can keep this up?

      Their stock is bumping along at $200. If they can keep people coming in and staying, then the stock can go brrrr for decades. But if they cant, eg the trickle of CTOs repatriating workloads to prem becomes a roar, it wont, and AWS will turn into IBM.

      You clearly have strong opinions on how AWS operates, but their stock holders are happy bunnies. What's your prediction?

      • llm_trw 11 hours ago |
        AWS is the new IBM.

        The question is if we're living in the new 1970s or 2000s.

  • mooreds 12 hours ago |
    Here's some reddit discussion on the same topic, which started with a link to the announcement blog: https://www.reddit.com/r/aws/comments/1gxgowz/improve_your_a...
  • bilalq 11 hours ago |
    I don't understand why AWS doesn't put more effort into Cognito without messing with pricing. It is such an effective loss-leader. If you're someone who will go past the free tiers for Cognito, the rest of your AWS spend will almost certainly be a lot more. Take advantage of that and stop measuring the Cognito team's success by their revenue and profitability. Usage alone should be the goal. You're still billed for all the lambda processing that happens on various Cognito hooks. You're still billed for all the API requests these Cognito users make.

    The auth service space is so strange. Almost every vendor is ridiculously expensive for any B2C use-case. Cognito, with its free tier of 50k MAU, was one of the few relatively cheap options. Even the "open source core" offerings in the space are crazy if you use their hosted version. And their self-hosted versions inevitably end up requiring you to run Postgres, Redis cluster, a background job running task, etc. If you're not getting Cognito for cheap, you're better off just using libraries to roll your own auth service/module instead of going for any off the shelf auth SaaS or self-hosted solution.

    • donavanm 8 hours ago |
      > I don't understand why AWS doesn't put more effort into Cognito without messing with pricing. It is such an effective loss-leader

      AWS team\org business priorities, like P&L computation, changed pretty drastically in 2022-23.

      Historically there were a lot of services built, run, and measured on the idea of solving customers diverse needs and making AWS a better place to run your business. This isnt a “loss leader” per se, but 1) profitability may not be your highest business prioirty 2) customers & shareholders valued growth & diversity of offerings above almost everything else 3) business units would set forward looking pricing based on marginal rates 2-3 years out under better utilization models 4) services would not-uncommonoly use “attribution” or “flow through” revenue models for P&L. Eg autoscaling doesnt have a meaningfully price, but it drives (hypothetically) 3% of EC2 instance hours. Autoscaling than books a portion of the 3% of instance hour revenue to their profit center. Cognito (or Route 53 or SSM where I worked) would use this sort of P&L model.

      Circa 2022 AMZn shareholders, amazon execs, and the market more broadly turned to Revenue and Profit as the goal, no longer growth per se. This drastically changed a lot of internal business models. No more “free rides”, book revenue, define and execute a plan to be a many million dollar direct revenue business, the old “growth and better together” story wasnt selling.

      And i dont think thats a bad thing per se, as a shareholder. I appreciate the focus on proving your value via pricing and usage. But there will be some sad “abandonware” and service shutdowns over the next few years.

  • disambiguation 7 hours ago |
    Step 1 lock em in

    Step 2 jack up the prices

    "The greatest trick aws ever played was convincing engineers that rolling your own infra is bad and scary."